[mod_gnutls-devel] Fix for Segfault with mod_gnutls in reverse proxy

Thomas Klute thomas2.klute at uni-dortmund.de
Tue Jan 13 17:30:08 CET 2015

Hi everyone,

I had some trouble with a virtual host as TLS endpoint using mod_gnutls.
Certain URLs should be handled by mod_proxy with a reverse proxy
configuration. I found that requests for files on the host worked just
fine, but requests on the reverse proxy URLs led to segfaults in the
worker thread.

I've located the problem in ssl_engine_disable: The function tries to
remove filters from the connection but does not check if those filters
are NULL before removing them. The Apache filter removal functions
apparently don't check either, which leads to the segfault. After adding
checks to ssl_engine_disable, the reverse proxy configuration works as
expected. :-)

My fix is available on Github (pull request below):

Best regards,
Thomas Klute

The following changes since commit c32240fe453de3ce9c48887f2ecd649a5555340f:

  switch from --long-arg=foo to --long-arg foo for certtool in test
suite (2014-09-24 13:01:57 -0400)

are available in the git repository at:

  https://github.com/airtower-luna/mod_gnutls.git proxy-segfault-fix

for you to fetch changes up to 3d361b8e5d7c4c971d344658728979fe978dc759:

  Check if filters exist before removing them in ssl_engine_disable
(2015-01-13 17:04:38 +0100)

Thomas Klute (2):
      Use proper GNUTLS_ENABLED_* macros in SSL proxy functions
      Check if filters exist before removing them in ssl_engine_disable

 src/mod_gnutls.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

More information about the mod_gnutls-devel mailing list